The Dark Knight Returns: Joker malware analysis
ID: 8c4bc4f7-8c66-5aa4-a35b-e60ec2c418de
STIX ID: report--8c4bc4f7-8c66-5aa4-a35b-e60ec2c418de
Feed Name: CERT Polska
CERT Polska analysed a Joker-family Android application available on Google Play (com.onmybeauty.beautycamera) that uses obfuscated code and a native-assisted decryption routine to obtain and load a DEX payload. The malware communicates with C2 (kamisatu.top), downloads an encrypted payload (Kuwan), intercepts SMS, binds to mobile networks, automates WebView interactions to perform premium subscription transactions on behalf of users (including extracting SMS PINs), and thus enables fraudulent premium subscriptions; the report includes MD5 hashes and URLs as IOCs.
